b41101bfd27f9656523c4a5772253287bb66e159d46f83f093cae1d57177f077

Analysis

max time kernel
28s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13/06/2023, 03:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b41101bfd27f9656523c4a5772253287bb66e159d46f83f093cae1d57177f077.exe
Size

493KB
MD5

a066bd1a442fa3ce477698fdac265a82
SHA1

0bd235fdf4c5b53f9beb2ab5d8bad24e47b14d6c
SHA256

b41101bfd27f9656523c4a5772253287bb66e159d46f83f093cae1d57177f077
SHA512

3a2886331a271be62e886b43e537520961020f5b9416f07dd6e0800d37901451cafc79b2e15ca1074697a77cb946d3ec56840f875fe99399beca82f0a75c77f7
SSDEEP

12288:GgZXEAO/BUdG3gVdt7KsX+tZk0F+rct6ag2I29t6hWfAIi:GgZXoZUTVdt7Kzk0FUXag2INz

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2028	steam.exe

Loads dropped DLL 5 IoCs

pid	Process
1716	b41101bfd27f9656523c4a5772253287bb66e159d46f83f093cae1d57177f077.exe
1716	b41101bfd27f9656523c4a5772253287bb66e159d46f83f093cae1d57177f077.exe
1716	b41101bfd27f9656523c4a5772253287bb66e159d46f83f093cae1d57177f077.exe
1716	b41101bfd27f9656523c4a5772253287bb66e159d46f83f093cae1d57177f077.exe
2028	steam.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 2028	1716	b41101bfd27f9656523c4a5772253287bb66e159d46f83f093cae1d57177f077.exe	28
PID 1716 wrote to memory of 2028	1716	b41101bfd27f9656523c4a5772253287bb66e159d46f83f093cae1d57177f077.exe	28
PID 1716 wrote to memory of 2028	1716	b41101bfd27f9656523c4a5772253287bb66e159d46f83f093cae1d57177f077.exe	28
PID 1716 wrote to memory of 2028	1716	b41101bfd27f9656523c4a5772253287bb66e159d46f83f093cae1d57177f077.exe	28

C:\Users\Admin\AppData\Local\Temp\b41101bfd27f9656523c4a5772253287bb66e159d46f83f093cae1d57177f077.exe
"C:\Users\Admin\AppData\Local\Temp\b41101bfd27f9656523c4a5772253287bb66e159d46f83f093cae1d57177f077.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\steam.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\steam.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\crashhandler.dll

Filesize
8KB

MD5
ad6c097448711213bf8181a3dbea7c18

SHA1
d6603665e144e9c81317731eee738d78b9ec4f40

SHA256
c1da7ad01cef8281118a88367329328c4741021729a5d67f9f911aa21e942936

SHA512
cc7a0b647644e1692b2cd97d6867be3252eab9d461e5d9565ef7f9eefa41de1e5c3078a2ce6d9f4297061193035519522a31b233c4c4a291bbdd4f4666be3a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\steam.exe

Filesize
581KB

MD5
079c498c46473e8c027c527df8f39f64

SHA1
65d258f2a3b36680bc83e79f971eefe9e58dda62

SHA256
62cf9e4961ee96b6015d90f23ef2fda873c6da59f107d0873bb19f61c5a4ff22

SHA512
a14ff4626b855987cc2ec98b0857d7f3fe3bbb20acd1f7c38fad17c59ccd5dbd8cd0a47ce5a1afc0f83dca4b7909e7a3034d5d3ae1e1dba229f46cdf59c7fde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\steam.exe

Filesize
581KB

MD5
079c498c46473e8c027c527df8f39f64

SHA1
65d258f2a3b36680bc83e79f971eefe9e58dda62

SHA256
62cf9e4961ee96b6015d90f23ef2fda873c6da59f107d0873bb19f61c5a4ff22

SHA512
a14ff4626b855987cc2ec98b0857d7f3fe3bbb20acd1f7c38fad17c59ccd5dbd8cd0a47ce5a1afc0f83dca4b7909e7a3034d5d3ae1e1dba229f46cdf59c7fde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\steam_monitor.exe.log

Filesize
115B

MD5
3fbae50e5588fa4a8d38c9f47a632150

SHA1
da7ec8352e293eee9c82700a0de6665c70bdca80

SHA256
8abf15ff24acff886dfd9085d3d51138977d4bd8e280ae225592718ffbb448ce

SHA512
ad2584214cac1ae02d212093d35dd05f3d8cbba5cc13641b7e190241351c4d58a52e0a78d1dbd2f6fb5bbd3470588b7799f2fcb2fd8183bc912be57326fd14a0

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\crashhandler.dll

Filesize
8KB

MD5
ad6c097448711213bf8181a3dbea7c18

SHA1
d6603665e144e9c81317731eee738d78b9ec4f40

SHA256
c1da7ad01cef8281118a88367329328c4741021729a5d67f9f911aa21e942936

SHA512
cc7a0b647644e1692b2cd97d6867be3252eab9d461e5d9565ef7f9eefa41de1e5c3078a2ce6d9f4297061193035519522a31b233c4c4a291bbdd4f4666be3a41

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\steam.exe

Filesize
581KB

MD5
079c498c46473e8c027c527df8f39f64

SHA1
65d258f2a3b36680bc83e79f971eefe9e58dda62

SHA256
62cf9e4961ee96b6015d90f23ef2fda873c6da59f107d0873bb19f61c5a4ff22

SHA512
a14ff4626b855987cc2ec98b0857d7f3fe3bbb20acd1f7c38fad17c59ccd5dbd8cd0a47ce5a1afc0f83dca4b7909e7a3034d5d3ae1e1dba229f46cdf59c7fde6

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\steam.exe

Filesize
581KB

MD5
079c498c46473e8c027c527df8f39f64

SHA1
65d258f2a3b36680bc83e79f971eefe9e58dda62

SHA256
62cf9e4961ee96b6015d90f23ef2fda873c6da59f107d0873bb19f61c5a4ff22

SHA512
a14ff4626b855987cc2ec98b0857d7f3fe3bbb20acd1f7c38fad17c59ccd5dbd8cd0a47ce5a1afc0f83dca4b7909e7a3034d5d3ae1e1dba229f46cdf59c7fde6

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\steam.exe

Filesize
581KB

MD5
079c498c46473e8c027c527df8f39f64

SHA1
65d258f2a3b36680bc83e79f971eefe9e58dda62

SHA256
62cf9e4961ee96b6015d90f23ef2fda873c6da59f107d0873bb19f61c5a4ff22

SHA512
a14ff4626b855987cc2ec98b0857d7f3fe3bbb20acd1f7c38fad17c59ccd5dbd8cd0a47ce5a1afc0f83dca4b7909e7a3034d5d3ae1e1dba229f46cdf59c7fde6

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\steam.exe

Filesize
581KB

MD5
079c498c46473e8c027c527df8f39f64

SHA1
65d258f2a3b36680bc83e79f971eefe9e58dda62

SHA256
62cf9e4961ee96b6015d90f23ef2fda873c6da59f107d0873bb19f61c5a4ff22

SHA512
a14ff4626b855987cc2ec98b0857d7f3fe3bbb20acd1f7c38fad17c59ccd5dbd8cd0a47ce5a1afc0f83dca4b7909e7a3034d5d3ae1e1dba229f46cdf59c7fde6

Download Submit